buran | 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a

Analysis

max time kernel
150s
max time network
125s
platform
windows10_x64
resource
win10v20201028
submitted
29-12-2020 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Size

214KB
MD5

b130cfd3d346bd719bd1e38f051768d2
SHA1

de29701a3f0d6c24a6e10717e35379ed702db868
SHA256

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a
SHA512

33811ddb6ff9715e337bcbb0923b23cdc0e8ee8dca1cb7d85a175e5d40e7deb3c23fbe0010b829b8289de86268440e6806ee5df06447c8102707c84e8389222e

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kevin.2021@yandex.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kevin.2021@yandex.com Reserved email: maarten.2021@yandex.com Your personal ID: 123-666-694 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kevin.2021@yandex.com

maarten.2021@yandex.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

2636 smss.exe
584 smss.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2628 notepad.exe

pid	process
2628	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\R:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 23888 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\doc_offline_getconnected.xml	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms	smss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\Print.scale-140.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6478_32x32x32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-100.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties	smss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.123-666-694	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.123-666-694	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-LTR.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gw_16x11.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml.123-666-694	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.123-666-694	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.123-666-694	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF.123-666-694	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-200_contrast-white.png	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main.css.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.123-666-694	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.surprise.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css.123-666-694	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell-2x.png.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.123-666-694	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sx_60x42.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.123-666-694	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Lightning bolt_icon.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8201_40x40x32.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\io_16x11.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png.123-666-694	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.123-666-694	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js	smss.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1364 vssadmin.exe
2456 vssadmin.exe

pid	process
1364	vssadmin.exe
2456	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe

Suspicious behavior: EnumeratesProcesses 7854 IoCs

Processes:

smss.exe

pid	process
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe
2636	smss.exe

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Token: SeDebugPrivilege	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe
Token: 33	2552	WMIC.exe
Token: 34	2552	WMIC.exe
Token: 35	2552	WMIC.exe
Token: 36	2552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	448	WMIC.exe
Token: SeSecurityPrivilege	448	WMIC.exe
Token: SeTakeOwnershipPrivilege	448	WMIC.exe
Token: SeLoadDriverPrivilege	448	WMIC.exe
Token: SeSystemProfilePrivilege	448	WMIC.exe
Token: SeSystemtimePrivilege	448	WMIC.exe
Token: SeProfSingleProcessPrivilege	448	WMIC.exe
Token: SeIncBasePriorityPrivilege	448	WMIC.exe
Token: SeCreatePagefilePrivilege	448	WMIC.exe
Token: SeBackupPrivilege	448	WMIC.exe
Token: SeRestorePrivilege	448	WMIC.exe
Token: SeShutdownPrivilege	448	WMIC.exe
Token: SeDebugPrivilege	448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	448	WMIC.exe
Token: SeRemoteShutdownPrivilege	448	WMIC.exe
Token: SeUndockPrivilege	448	WMIC.exe
Token: SeManageVolumePrivilege	448	WMIC.exe
Token: 33	448	WMIC.exe
Token: 34	448	WMIC.exe
Token: 35	448	WMIC.exe
Token: 36	448	WMIC.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 2636	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	smss.exe
PID 1156 wrote to memory of 2636	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	smss.exe
PID 1156 wrote to memory of 2636	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	smss.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 1156 wrote to memory of 2628	1156	4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe	notepad.exe
PID 2636 wrote to memory of 3176	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3176	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3176	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 2460	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 2460	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 2460	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 4084	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 4084	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 4084	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3948	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3948	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3948	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 528	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 528	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 528	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3204	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3204	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 3204	2636	smss.exe	cmd.exe
PID 2636 wrote to memory of 584	2636	smss.exe	smss.exe
PID 2636 wrote to memory of 584	2636	smss.exe	smss.exe
PID 2636 wrote to memory of 584	2636	smss.exe	smss.exe
PID 528 wrote to memory of 2456	528	cmd.exe	vssadmin.exe
PID 528 wrote to memory of 2456	528	cmd.exe	vssadmin.exe
PID 528 wrote to memory of 2456	528	cmd.exe	vssadmin.exe
PID 3176 wrote to memory of 2552	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 2552	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 2552	3176	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 448	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 448	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 448	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 1364	3204	cmd.exe	vssadmin.exe
PID 3204 wrote to memory of 1364	3204	cmd.exe	vssadmin.exe
PID 3204 wrote to memory of 1364	3204	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
"C:\Users\Admin\AppData\Local\Temp\4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1364

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4084

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:2628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
61466c45ced4d83183fdb25396d4031c

SHA1
28a0f84a224cfddee721d7aa7cc5b54176358108

SHA256
1c3119bf6b52b905a989b256f6d40bf6d0150eb5485f5c416362a439e620e4f9

SHA512
152535df0af05a287d4435e702c9fc86195e61296e825b9bd67311054524bbeeb898aa4b23393c5af5d4f5fa2471fbe56b3d85964036d22b5ba751c8b3423e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
21ef137d48d04fc9be98c2674223aa7d

SHA1
2c596c1c53112a535400e16fe124987aa665055c

SHA256
d265ed9b6513b4a1bc4b7b26f3f59b1ed4d0cf1aeb37bc0d38ec91b4658cc0e0

SHA512
f95cf62b52edf668adf1779d07bde1c68c29b848ec713270111b3fa2bc01edbdbbc5cfc958229c6e92567f4196285e935a2f922bbdcac80f9103ba15e832491a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9d7369bfa72ae89d1d752ba17df6c22e

SHA1
ec6dad338b059d7bffbf47f84cf3c638226a0d82

SHA256
8ba91b47832e7c92ce4aec0255ae6511d12f7f92201d8d1db21d37f81a190030

SHA512
3cc58981fdaffa95022fbf13d7b0535ef0d1700fffda235a46902f9b9d9ac83458d8444aedae99b8392ee62d0151eea5f67d991bf538aa0919fcd5b6f7ae41f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
5470a980209672478f1536cb99456607

SHA1
899436319a8a3337f5bdf75bb46d240f2bc81c0c

SHA256
3f3b750ae83fdae6056705b81f1251ba30617e1e73d5478a627a66f3dc9bc7c5

SHA512
a8c34a459128657cec2f00402048f9ba9bd9d3575931a7312b09005310c0c1cf214ac55c6cc5d11bd846033b6bc5b62a43f068673f977c393872a904c6ebed65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
489925b75edf65bff01cf1257804443f

SHA1
6813f05404c3170c11ddc5ff20f01b38db0f78a7

SHA256
a60e61b0fffac84b5bf44a433a26c41ca46b99c8d984461a2a2fd2f4b18f139c

SHA512
6a3c2d8228f7ac54390913664588c95c5e7af5caea48e66e1daeec9d8d9cc8c96e704fbad66f48d08efe776f44f02b3fc8815011ee367364d437f8da6e2a00cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b21a6041b59598bd241e5c1b3078110f

SHA1
42335ee6430ac70fc8ac5a7c40214206050d7d44

SHA256
115966b9525b5cbf8632b51f53bffe3440ebf65104232917c14ff55779bd10e9

SHA512
a68c97302e5154c87251e2e7bb8eb54d07b2f95121494e5e0647fa71cd300cd655d73179c21bc71091987e586f47b753d3d9b1f7cf7ab623a9a1a2147c09f664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\RON2FB61.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\9KG7416N.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
b130cfd3d346bd719bd1e38f051768d2

SHA1
de29701a3f0d6c24a6e10717e35379ed702db868

SHA256
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a

SHA512
33811ddb6ff9715e337bcbb0923b23cdc0e8ee8dca1cb7d85a175e5d40e7deb3c23fbe0010b829b8289de86268440e6806ee5df06447c8102707c84e8389222e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
b130cfd3d346bd719bd1e38f051768d2

SHA1
de29701a3f0d6c24a6e10717e35379ed702db868

SHA256
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a

SHA512
33811ddb6ff9715e337bcbb0923b23cdc0e8ee8dca1cb7d85a175e5d40e7deb3c23fbe0010b829b8289de86268440e6806ee5df06447c8102707c84e8389222e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
b130cfd3d346bd719bd1e38f051768d2

SHA1
de29701a3f0d6c24a6e10717e35379ed702db868

SHA256
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a

SHA512
33811ddb6ff9715e337bcbb0923b23cdc0e8ee8dca1cb7d85a175e5d40e7deb3c23fbe0010b829b8289de86268440e6806ee5df06447c8102707c84e8389222e

Download Submit
memory/448-26-0x0000000000000000-mapping.dmp

Download
memory/528-19-0x0000000000000000-mapping.dmp

Download
memory/584-21-0x0000000000000000-mapping.dmp

Download
memory/1364-27-0x0000000000000000-mapping.dmp

Download
memory/2456-23-0x0000000000000000-mapping.dmp

Download
memory/2460-16-0x0000000000000000-mapping.dmp

Download
memory/2552-24-0x0000000000000000-mapping.dmp

Download
memory/2628-5-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2628-6-0x0000000000000000-mapping.dmp

Download
memory/2636-2-0x0000000000000000-mapping.dmp

Download
memory/3176-15-0x0000000000000000-mapping.dmp

Download
memory/3204-20-0x0000000000000000-mapping.dmp

Download
memory/3948-18-0x0000000000000000-mapping.dmp

Download
memory/4084-17-0x0000000000000000-mapping.dmp

Download